General manager of the Payment Card Industry Security Standards Council, Bob Russo, commented on the guidelines in an interview with BankInfoSecurity, and emphasised the fact that businesses must understand where card data is stored at all times, and apply the guidance to their overall PCI compliance strategies.

Explaining further, Russo says, “Cloud is a shared responsibility. Outsourcing the management of these security controls really doesn’t equate to outsourcing your responsibility to be PCI-DSS compliant. Cloud services are not all created equally, so you need to understand what PCI-compliant cloud service really means.”